check that this order belongs to this user

2016-05-12 18:14:30 +02:00 · 2016-05-12 18:14:30 +02:00 · 29c0696f3f
parent bbee72c67f
commit 29c0696f3f
1 changed files with 5 additions and 0 deletions
--- a/shop/views.py
+++ b/shop/views.py
@ -35,6 +35,11 @@ class CheckoutView(LoginRequiredMixin, DetailView):
    template_name = 'shop/order_detail.html'
    context_object_name = 'order'

+    def get(self, request, *args, **kwargs):
+        if self.get_object().user != request.user:
+            raise Http404("Order not found")
+        return self.render_to_response(self.get_context_data())
+

 class PaymentView(LoginRequiredMixin, FormView):
    """